Documentation - fact missing in SSL generation guide - certificate chain

Bug #1403552 reported by Jacob Gustafson
This bug affects 1 person
Affects: Ubuntu Server Guide
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone:

Bug Description

Hello, please consider this a documentation issue and resolve: The Ubuntu server guide page "Certificates and Security" at https://help.ubuntu.com/lts/serverguide/certificates-and-security.html does not say which file can be used as a certificate chain, such as for the value of SSLCertificateChainFile in /etc/apache2/sites-enabled/default-ssl.conf -- I cannot find any information on this issue, and some browsers apparently block the action (even though users would normally just store an exception for a self-signed certificate, the browser also notices that there is not complete information about the server since Apache was not given a chain file in PEM format--this browser issue is reported by some people on the internet when searching Google for "chain file required apache"). Apache says it wants "a file containing the concatenation of PEM encoded CA certificates which form the certificate chain for the server certificate", so one could blindly add the pem file generated during the "Certification Authority" section of the page, which does not say whether that is a certificate chain file or how to generate a certificate chain file. Following the instructions and assuming the pem file can be given to Apache may or may not be a security risk, and it is the only pem file that the page gives instructions on how to generate (feel free to uncheck this as a security risk if following the server guide page then giving that pem file to Apache does not result in a security risk).

Please update the page on ubuntu.com (link above) to clarify that the pem file is a chain file that can be used for the value of SSLCertificateChainFile in /etc/apache2/sites-enabled/default-ssl.conf or to clarify how to generate a chain file.
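An added example, not part of the bug report or the Ubuntu guide: one way to inspect a candidate file before using it as SSLCertificateChainFile, checking that it holds only CERTIFICATE blocks and that each certificate's subject matches the issuer of the one before it, starting from the server certificate. The function names and the "Example ..." certificate names are hypothetical, and the sample inputs are constructed DER skeletons that carry names only.

```python
import base64, re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def pem_blocks(text):  # split a concatenated PEM file into (label, DER bytes) pairs
    return [(m[1], base64.b64decode("".join(m[2].split()))) for m in PEM_RE.finditer(text)]

def _elements(buf):  # yield (tag, raw element, value) for sibling DER elements in buf
    pos = 0
    while pos < len(buf):
        start, tag, length, pos = pos, buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form: low bits give the number of length bytes
            end = pos + (length & 0x7F)
            length, pos = int.from_bytes(buf[pos:end], "big"), end
        yield tag, buf[start:pos + length], buf[pos:pos + length]
        pos += length

def issuer_subject(der):
    """Return the raw DER issuer and subject Names of an X.509 certificate."""
    tbs = next(_elements(next(_elements(der))[2]))[2]  # Certificate -> tbsCertificate
    raw = [r for tag, r, _ in _elements(tbs) if tag != 0xA0]  # skip optional [0] version
    return raw[2], raw[4]  # order: serial, sigAlg, issuer, validity, subject

def check_chain_file(server_pem, chain_pem):
    """Return problems found in a candidate chain file (empty list = none found)."""
    blocks = pem_blocks(chain_pem)
    certs = [der for label, der in blocks if label == "CERTIFICATE"]
    problems = [f"non-certificate block: {label}" for label, _ in blocks if label != "CERTIFICATE"]
    problems += [] if certs else ["no certificates found"]
    names = [issuer_subject(d) for d in [pem_blocks(server_pem)[0][1]] + certs]
    for i in range(1, len(names)):  # each subject must equal the issuer of the one before
        if names[i][1] != names[i - 1][0]:
            problems.append(f"chain certificate {i - 1} did not issue the certificate before it")
    return problems

# Constructed sample input: DER skeletons carrying names only, not real certificates.
def _der(tag, body):
    return bytes([tag, len(body)]) + body  # short-form length is enough for the samples
def _name(cn):  # Name with one commonName (OID 2.5.4.3) attribute
    return _der(0x30, _der(0x31, _der(0x30, b"\x06\x03\x55\x04\x03" + _der(0x0C, cn.encode()))))
def sample_pem(issuer, subject, label="CERTIFICATE"):
    tbs = b"\xa0\x03\x02\x01\x02" + b"\x02\x01\x01" + b"\x30\x00" + _name(issuer) + b"\x30\x00" + _name(subject)
    body = base64.encodebytes(_der(0x30, _der(0x30, tbs))).decode()
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"

SERVER = sample_pem("Example Intermediate CA", "server.example")
INTERMEDIATE = sample_pem("Example Root CA", "Example Intermediate CA")
ROOT = sample_pem("Example Root CA", "Example Root CA")
print(check_chain_file(SERVER, INTERMEDIATE + ROOT))  # chain in leaf-to-root order
```

This compares names only; signatures and validity still need a real verifier, for example `openssl verify -CAfile root.pem -untrusted chain.pem server.pem` (placeholder file names).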

Peter Matulis (petermatulis) wrote :

I removed the security aspect of this bug. Only the security team should use that.

information type: Private Security → Public
Jacob Gustafson (poikilos) wrote :

I edited the original post to make it more clear.

description: updated
Peter Matulis (petermatulis) wrote :

@Jacob

Thanks a lot for your help. I'll try to get to it soon. If you want, you can help further by proposing actual text.
